TL;DR: Weak, reused, and already-stolen passwords still let attackers in because many password policies only enforce basic complexity rules, according to Netwrix. Blocking weak credentials at creation time shifts control left, reducing a predictable entry path that reactive tools only see after compromise.
NHIMG editorial — based on content published by Netwrix: The left back everyone underestimates
Questions worth separating out
Q: How should security teams stop credential stuffing against human accounts?
A: Security teams should block weak, reused, and compromised passwords before they are accepted, rather than relying on detection after login.
Q: Why do weak passwords still matter if organisations already use MFA?
A: Weak passwords still matter because MFA does not eliminate the value of a valid first factor.
Q: What breaks when password policy only enforces complexity rules?
A: Complexity-only policy breaks because it allows predictable and previously exposed passwords to remain usable.
Practitioner guidance
- Block weak, reused, and compromised passwords at creation time: reject passwords that appear in breach corpora, common-password lists, or obvious pattern sets before the account is accepted into production.
- Replace complexity-only rules with breach-aware screening: keep length and character requirements, but add checks for reuse, predictable substitutions, and dictionary-based variants.
- Align account recovery with the same password controls: ensure reset and recovery flows use the same rejection logic as initial password creation, because attackers often target the weakest path rather than the normal login screen.
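The three guidance points above describe one screening routine applied at two entry points. The following Python is an added example written for this editorial; it is not Netwrix's Password Policy Enforcer or any directory's real API. The breach corpus, common-word list and `DirectoryStub` account store are all constructed stand-ins, and the history hash uses SHA-256 only to keep the example self-contained where a real directory would use a salted slow KDF. It shows a breach-prefix lookup, leet-normalisation of dictionary variants, keyboard-walk and username checks, and a history-based reuse check, with `create_password` and `reset_password` both routed through the same `evaluate_password` function so the recovery path cannot accept what the creation path rejects.

```python
import hashlib
import os
import re

# --- Constructed sample data (not a real breach corpus) ---------------------
# A real deployment queries a breach corpus (for example a k-anonymity range
# lookup on the SHA-1 prefix) or a vendor-maintained list; these entries are
# placeholders so the example runs offline.
_CONSTRUCTED_BREACHED = {"password", "Password1", "qwerty123", "letmein", "Welcome2024"}

# Indexed by the first 5 hex characters of the SHA-1, the shape a range lookup
# returns, so the check never needs the cleartext corpus in memory.
BREACH_INDEX: dict[str, set[str]] = {}
for _pw in _CONSTRUCTED_BREACHED:
    _h = hashlib.sha1(_pw.encode()).hexdigest().upper()
    BREACH_INDEX.setdefault(_h[:5], set()).add(_h[5:])

COMMON_BASE_WORDS = {"password", "welcome", "letmein", "admin", "qwerty", "summer", "winter"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
# Common character substitutions, undone before the dictionary comparison.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})
MIN_LENGTH = 12      # length rule is kept, not replaced
HISTORY_DEPTH = 5    # number of previous password hashes retained per account


def normalise(password: str) -> str:
    """Reduce a variant such as 'P@ssw0rd2024' to its base word 'password'."""
    base = re.sub(r"[\d!@#$%^&*]+$", "", password.lower())  # drop trailing year/symbol suffix
    return base.translate(LEET)


def in_breach_corpus(password: str) -> bool:
    """Prefix/suffix lookup against the (constructed) breach index."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in BREACH_INDEX.get(digest[:5], set())


def has_keyboard_walk(password: str, run: int = 4) -> bool:
    """True if the password contains a run of `run` adjacent keyboard keys."""
    low = password.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            if any(seq[i:i + run] in low for i in range(len(seq) - run + 1)):
                return True
    return False


def history_hash(salt: bytes, password: str) -> str:
    # Constructed: fast hash for a self-contained example; use a slow KDF in practice.
    return hashlib.sha256(salt + password.encode()).hexdigest()


def evaluate_password(candidate: str, username: str, salt: bytes, history: list[str]) -> list[str]:
    """Return rejection reasons; an empty list means the password is acceptable."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append("shorter than minimum length")
    if in_breach_corpus(candidate):
        reasons.append("appears in breach corpus")
    if normalise(candidate) in COMMON_BASE_WORDS:
        reasons.append("dictionary word with predictable substitutions")
    if username and username.lower() in candidate.lower():
        reasons.append("contains username")
    if re.search(r"(.)\1{2,}", candidate):
        reasons.append("repeated characters")
    if has_keyboard_walk(candidate):
        reasons.append("keyboard sequence")
    if history_hash(salt, candidate) in history:
        reasons.append("reused from password history")
    return reasons


class DirectoryStub:
    """Constructed in-memory stand-in for a directory account store."""

    def __init__(self) -> None:
        self.accounts: dict[str, dict] = {}

    def enrol(self, username: str) -> None:
        self.accounts[username] = {"salt": os.urandom(16), "history": []}

    def _set_password(self, username: str, candidate: str) -> list[str]:
        acct = self.accounts[username]
        reasons = evaluate_password(candidate, username, acct["salt"], acct["history"])
        if not reasons:  # accepted: record hash for future reuse checks
            acct["history"].append(history_hash(acct["salt"], candidate))
            acct["history"] = acct["history"][-HISTORY_DEPTH:]
        return reasons

    # Creation and recovery share one screening path (guidance point three).
    def create_password(self, username: str, candidate: str) -> list[str]:
        return self._set_password(username, candidate)

    def reset_password(self, username: str, candidate: str) -> list[str]:
        return self._set_password(username, candidate)


if __name__ == "__main__":
    d = DirectoryStub()
    d.enrol("alice")
    for pw in ["Welcome2024", "P@ssw0rd2024", "correct-horse-battery-staple"]:
        print(pw, "->", d.create_password("alice", pw) or "accepted")
    print("reset to same ->", d.reset_password("alice", "correct-horse-battery-staple"))
```

Run it directly to see the three candidates screened and the reset of an accepted password rejected as reuse. The design point is that `_set_password` is the only place the history is written and `evaluate_password` the only place rules live, so adding a new check (or a real breach-corpus client) changes both flows at once.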
What's in the full article
Netwrix's full blog post covers the operational detail this post intentionally leaves for the source:
- How Password Policy Enforcer blocks weak, leaked, and commonly used passwords at the point of creation
- The specific password policy approach the vendor recommends for reducing credential stuffing exposure in Active Directory environments
- Why reactive tools such as antivirus and EDR do not close the identity gap created by reusable passwords
👉 Read Netwrix's analysis of why weak passwords still drive credential stuffing risk →
Credential stuffing and weak passwords: what IAM teams miss?
Explore further
Weak password acceptance is still an avoidable identity control failure. The article’s central point is not that attackers are clever, but that many environments still permit predictable and reused credentials at the point of creation. That makes the weakness structural, not incidental. In identity governance terms, the control failed before authentication ever began, which means the programme has not closed the most basic human identity exposure path.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- A separate finding from our research shows that 1 in 4 organisations are already investing in dedicated NHI security capabilities, which signals growing recognition that identity sprawl cannot be managed with ad hoc controls alone.
A question worth separating out:
Q: Who is accountable when compromised passwords are still accepted?
A: Accountability sits with the identity programme that owns password policy, recovery flow design, and enforcement across the directory and connected applications. If known-bad passwords can still be created or reset, the organisation has allowed a preventable access control failure to persist. Standards such as NIST CSF support that accountability through access governance and continuous improvement.
👉 Read our full editorial: Weak passwords still drive credential stuffing risk across identity